diff --git a/.gitignore b/.gitignore
index 35e453f..712fa4a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,9 +1,8 @@
 charts
 node_modules
 target
-values2.yml
-values2.yaml
+!values.yaml
+!values.yml
+values*.yaml
+values*.yml
 *.tgz
-
-install.sh
-uninstall.sh
\ No newline at end of file
diff --git a/Makefile b/Makefile
index e3b4fe6..8771cf7 100644
--- a/Makefile
+++ b/Makefile
@@ -18,6 +18,25 @@ NODE_IMAGE_FULLY_QUALIFIED=${NODE_IMAGE_REGISTRY_HOST}/${NODE_IMAGE_REPOSITORY}:
 missing-dot:
 grep --perl-regexp '## @(param|skip).*[^.]$$' values.yaml
 
+# README
+# ==============================================================================
+readme: readme/link readme/lint readme/parameters
+
+readme/link:
+ npm install && npm run readme:link
+
+readme/lint:
+ npm install && npm run readme:lint
+
+readme/parameters:
+ npm install && npm run readme:parameters
+
+# HELM UNITTESTS
+# ==============================================================================
+PHONY+=helm/unittest
+helm/unittest:
+ helm unittest --strict --file 'unittests/**/*.yaml' ./
+
 # CONTAINER RUN - README
 # ==============================================================================
 PHONY+=container-run/readme
diff --git a/README.md b/README.md
index 01b093e..9e63bf7 100644
--- a/README.md
+++ b/README.md
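Review bot: The negations `!values.yaml` and `!values.yml` are placed before the glob patterns `values*.yaml` / `values*.yml` that also match them, and in .gitignore the last matching pattern wins, so both files end up ignored again. Reorder the four lines so the globs come first: `values*.yaml`, `values*.yml`, `!values.yaml`, `!values.yml`. Copies that are already tracked keep being tracked, so this only surfaces when the file is added fresh (a new chart or a new clone that recreates it), which makes it easy to miss.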
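Review bot: Each of the new readme/* targets runs `npm install`, which resolves against package.json and may rewrite package-lock.json, so the lockfile meant to pin the README tooling is not actually enforced on these runs. `npm ci` installs exactly what the lockfile records and fails if package.json and the lockfile disagree; `npm ci && npm run readme:link` (same for readme:lint and readme:parameters) gives reproducible, auditable runs. The readme targets are also not added to PHONY, unlike `helm/unittest` in the same hunk, so a path of the same name would shadow them; `PHONY+=readme readme/link readme/lint readme/parameters` keeps the two stanzas consistent.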
@@ -96,6 +96,10 @@ certificate can be used the [cert-manager](https://cert-manager.io/). The chart certificate via `cert-manager.io/v1 Certificate` resource. Alternatively can be mounted a TLS certificate from a secret. The secret must be from type `kubernetes.io/tls`. +If athens-proxy is deployed behind a reverse proxy, for example an ingress nginx controller or Gateway API, please +instruct the reverse proxy to establish a TLS encrypted connection to avoid connection problems. The documentation +describes configuring [Ingress NGINX](#ingress-nginx) as well as [NGINX Gateway Fabric](#gatewayapi-nginx-fabric). + > [!WARNING] > The following example expects that the [cert-manager](https://cert-manager.io/) is deployed and the `Issuer` named > `athens-proxy-ca` is present in the same namespace of the helm deployment. 
@@ -111,6 +115,110 @@ helm install --version "${CHART_VERSION}" athens-proxy volker.raschek/athens-pro The environment variables `ATHENS_TLSCERT_FILE` and `ATHENS_TLSKEY_FILE` are automatically added and the TLS certificate and private key are mounted to a pre-defined destination inside the container file system. +##### Ingress NGINX + +The following changes must be applied to enable TLS encryption and authentication on-top between the ingress and backend +service. + +> [!IMPORTANT] +> The HTTP Version between the ingress nginx and backend must be set to `1.1`, as well as the TLS protocol must be set +> to `TLSv1.2`. Otherwise can't the nginx establish a TLS connection. + +The secret `athens-proxy/ingress-nginx-controller-tls` contains TLS certificates for the nginx ingress controller. The +TLS certificate must be created manually, for example via [cert-manager](https://cert-manager.io/). It is used by the +nginx for TLS authentication. + +```yaml +ingress: + enabled: true + className: "nginx" + annotations: + nginx.ingress.kubernetes.io/backend-protocol: HTTPS + nginx.ingress.kubernetes.io/proxy-http-version: "1.1" + nginx.ingress.kubernetes.io/proxy-ssl-secret: athens-proxy/ingress-nginx-controller-tls + nginx.ingress.kubernetes.io/proxy-ssl-protocols: TLSv1.2 + nginx.ingress.kubernetes.io/proxy-ssl-name: athens-proxy + nginx.ingress.kubernetes.io/proxy-ssl-verify: "on" +``` + +##### GatewayAPI: NGINX Fabric + +The following changes must be applied to enable TLS encryption and authentication on-top between the gateway and backend +service. + +> [!IMPORTANT] +> The HTTP Version between the nginx gateway fabric and backend must be set to `1.1`, as well as the TLS protocol must +> be set to `TLSv1.2`. Otherwise can't the nginx establish a TLS connection. 
+ +The `gatewayAPI.core.backendTLSPolicy.validation.caCertificateRefs` must contain at least one secret containing the +root or intermediate certificate of the issued TLS certificate used by athens-proxy to be able to validate the TLS +certificate. + +```yaml +gatewayAPI: + enabled: true + core: + backendTLSPolicy: + enabled: true + validation: + caCertificateRefs: + - group: "" + kind: Secret + name: "athens-proxy-ca" + hostname: "athens-proxy" + + httpRoute: + enabled: true + hostnames: + - athens-proxy.example.local + parentRefs: + - name: nginx + kind: Gateway + group: gateway.networking.k8s.io + namespace: my-gateway-namespace + sectionName: athens-proxy-https +``` + +The Gateway resource is not part of the helm chart, but for illustrating the configuration example, here a GatewayAPI +resource with configured backend TLS certificate. The TLS certificates `gateway-frontend-tls` and `gateway-backend-tls` +must also be created manually, for example via [cert-manager](https://cert-manager.io/). + +```yaml +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: Gateway +metadata: + name: nginx + namespace: my-gateway-namespace +spec: + gatewayClassName: nginx + listeners: + - allowedRoutes: + kinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + namespaces: + from: All + hostname: athens-proxy.example.local + name: https + port: 443 + protocol: HTTPS + tls: + certificateRefs: + - group: '' + kind: Secret + name: gateway-frontend-tls + namespace: my-gateway-namespace + mode: Terminate + tls: + backend: + clientCertificateRef: + group: '' + kind: Secret + name: gateway-backend-tls + namespace: my-gateway-namespace +``` + #### TLS certificate rotation If the application uses TLS certificates that are mounted as a secret in the container file system like the example 
@@ -198,6 +306,13 @@ networkPolicies: podSelector: matchLabels: app.kubernetes.io/name: ingress-nginx + # NGINX GatewayAPI Fabric + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: gateway-nginx + podSelector: + matchLabels: + app.kubernetes.io/name: gateway-nginx ports: - port: http protocol: TCP 
@@ -438,6 +553,30 @@ spec: | `networkPolicy.egress` | Concrete egress network policy implementation. | `[]` | | `networkPolicy.ingress` | Concrete ingress network policy implementation. | `[]` | +### GatewayAPI + +| Name | Description | Value | +| ----------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | +| `gatewayAPI.enabled` | Enable the Gateway API resources. Requires Kubernetes v1.19 or higher, the CRD's and a compatible gateway controller. | `false` | +| `gatewayAPI.core.backendTLSPolicy.enabled` | Enable the BackendTLSPolicy resource. Requires also `gatewayAPI.enabled` to be `true`. | `false` | +| `gatewayAPI.core.backendTLSPolicy.annotations` | Additional annotations for the BackendTLSPolicy. | `{}` | +| `gatewayAPI.core.backendTLSPolicy.labels` | Additional labels for the BackendTLSPolicy. | `{}` | +| `gatewayAPI.core.backendTLSPolicy.validation` | Validation configuration for the BackendTLSPolicy. For example, you can specify a trusted CA certificate to validate the TLS connection between the gateway and the athens-proxy pod. | `{}` | +| `gatewayAPI.core.httpRoute.enabled` | Enable the HTTPRoute resource. Requires also `gatewayAPI.enabled` and `services.http.enabled` to be `true`. | `false` | +| `gatewayAPI.core.httpRoute.annotations` | Additional annotations for the HTTPRoute. | `{}` | +| `gatewayAPI.core.httpRoute.labels` | Additional labels for the HTTPRoute. | `{}` | +| `gatewayAPI.core.httpRoute.hostnames` | Hostnames for the HTTPRoute. | `[]` | +| `gatewayAPI.core.httpRoute.parentRefs` | ParentRefs for the HTTPRoute. You can specify parentRefs to bind the HTTPRoute to specific Gateway resources. | `[]` | +| `gatewayAPI.nginx.clientSettingsPolicy.enabled` | Enable the ClientSettingsPolicy resource. 
Requires also `gatewayAPI.enabled` to be `true`. | `false` | +| `gatewayAPI.nginx.clientSettingsPolicy.annotations` | Additional annotations for the ClientSettingsPolicy. | `{}` | +| `gatewayAPI.nginx.clientSettingsPolicy.labels` | Additional labels for the ClientSettingsPolicy. | `{}` | +| `gatewayAPI.nginx.clientSettingsPolicy.clientMaxBodySize` | ClientMaxBodySize sets the maximum allowed size of the client request body. If not specified, the default of the nginx gateway controller is used. | `""` | +| `gatewayAPI.nginx.clientSettingsPolicy.clientBodyTimeout` | ClientBodyTimeout sets the timeout for reading the client request body. If not specified, the default of the nginx gateway controller is used. | `""` | +| `gatewayAPI.nginx.clientSettingsPolicy.keepaliveRequests` | KeepaliveRequests sets the maximum number of requests that can be served through one keepalive connection. If not specified, the default of the nginx gateway controller is used. | `nil` | +| `gatewayAPI.nginx.clientSettingsPolicy.keepaliveTime` | KeepaliveTime sets the time a keepalive connection is kept open. If not specified, the default of the nginx gateway controller is used. | `""` | +| `gatewayAPI.nginx.clientSettingsPolicy.keepaliveTimeout` | KeepaliveTimeout sets the time a client has to wait for the response of a request until the connection is closed. If not specified, the default of the nginx gateway controller is used. | `""` | +| `gatewayAPI.nginx.clientSettingsPolicy.keepaliveMinTimeout` | KeepaliveMinTimeout sets the minimum time a client has to wait for the response of a request until the connection is closed. If not specified, the default of the nginx gateway controller is used. | `""` | + ### Service | Name | Description | Value | diff --git a/templates/_backendTLSPolicy.tpl b/templates/_backendTLSPolicy.tpl new file mode 100644 index 0000000..5f3b0c6 --- /dev/null +++ b/templates/_backendTLSPolicy.tpl 
@@ -0,0 +1,32 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{/* annotations */}}
+
+{{- define "athens-proxy.backendTLSPolicy.annotations" -}}
+{{ include "athens-proxy.annotations" . }}
+{{- if .Values.gatewayAPI.core.backendTLSPolicy.annotations }}
+{{ toYaml .Values.gatewayAPI.core.backendTLSPolicy.annotations }}
+{{- end }}
+{{- end }}
+
+{{/* enabled */}}
+
+{{- define "athens-proxy.backendTLSPolicy.enabled" -}}
+{{- if and .Values.gatewayAPI.enabled
+ .Values.gatewayAPI.core.backendTLSPolicy.enabled
+ .Values.services.http.enabled
+-}}
+true
+{{- else -}}
+false
+{{- end -}}
+{{- end }}
+
+{{/* labels */}}
+
+{{- define "athens-proxy.backendTLSPolicy.labels" -}}
+{{ include "athens-proxy.labels" . }}
+{{- if .Values.gatewayAPI.core.backendTLSPolicy.labels }}
+{{ toYaml .Values.gatewayAPI.core.backendTLSPolicy.labels }}
+{{- end }}
+{{- end }}
diff --git a/templates/_clientSettingsPolicy.tpl b/templates/_clientSettingsPolicy.tpl
new file mode 100644
index 0000000..d330175
--- /dev/null
+++ b/templates/_clientSettingsPolicy.tpl
@@ -0,0 +1,31 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{/* annotations */}}
+
+{{- define "athens-proxy.clientSettingsPolicy.annotations" -}}
+{{ include "athens-proxy.annotations" . }}
+{{- if .Values.gatewayAPI.nginx.clientSettingsPolicy.annotations }}
+{{ toYaml .Values.gatewayAPI.nginx.clientSettingsPolicy.annotations }}
+{{- end }}
+{{- end }}
+
+{{/* enabled */}}
+
+{{- define "athens-proxy.clientSettingsPolicy.enabled" -}}
+{{- if and (eq (include "athens-proxy.httpRoute.enabled" $) "true")
+ .Values.gatewayAPI.nginx.clientSettingsPolicy.enabled
+-}}
+true
+{{- else -}}
+false
+{{- end -}}
+{{- end }}
+
+{{/* labels */}}
+
+{{- define "athens-proxy.clientSettingsPolicy.labels" -}}
+{{ include "athens-proxy.labels" . }}
+{{- if .Values.gatewayAPI.nginx.clientSettingsPolicy.labels }}
+{{ toYaml .Values.gatewayAPI.nginx.clientSettingsPolicy.labels }}
+{{- end }}
+{{- end }}
diff --git a/templates/_httpRoute.tpl b/templates/_httpRoute.tpl
new file mode 100644
index 0000000..dcc47bd
--- /dev/null
+++ b/templates/_httpRoute.tpl
@@ -0,0 +1,32 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{/* annotations */}}
+
+{{- define "athens-proxy.httpRoute.annotations" -}}
+{{ include "athens-proxy.annotations" . }}
+{{- if .Values.gatewayAPI.core.httpRoute.annotations }}
+{{ toYaml .Values.gatewayAPI.core.httpRoute.annotations }}
+{{- end }}
+{{- end }}
+
+{{/* enabled */}}
+
+{{- define "athens-proxy.httpRoute.enabled" -}}
+{{- if and .Values.gatewayAPI.enabled
+ .Values.gatewayAPI.core.httpRoute.enabled
+ .Values.services.http.enabled
+-}}
+true
+{{- else -}}
+false
+{{- end -}}
+{{- end }}
+
+{{/* labels */}}
+
+{{- define "athens-proxy.httpRoute.labels" -}}
+{{ include "athens-proxy.labels" . }}
+{{- if .Values.gatewayAPI.core.httpRoute.labels }}
+{{ toYaml .Values.gatewayAPI.core.httpRoute.labels }}
+{{- end }}
+{{- end }}
diff --git a/templates/_services.tpl b/templates/_services.tpl
index 996e3a7..9eba677 100644
--- a/templates/_services.tpl
+++ b/templates/_services.tpl
@@ -24,6 +24,6 @@ app.kubernetes.io/service-name: http
 
 {{- define "athens-proxy.services.http.name" -}}
 {{- if .Values.services.http.enabled -}}
-{{ include "athens-proxy.fullname" . }}-http
+{{ include "athens-proxy.fullname" . }}
 {{- end -}}
 {{- end -}}
\ No newline at end of file
diff --git a/templates/backendTLSPolicy.yaml b/templates/backendTLSPolicy.yaml
new file mode 100644
index 0000000..82f7f3a
--- /dev/null
+++ b/templates/backendTLSPolicy.yaml
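Review bot: Dropping the `-http` suffix from `athens-proxy.services.http.name` changes the rendered Service name, but the unit tests added in this same commit still expect the old one: `unittests/backendTLSPolicy/backendTLSPolicy.yaml` asserts `name: athens-proxy-unittest-http` under `spec.targetRefs`, and `unittests/httpRoute/httpRoute.yaml` asserts it under `spec.rules[0].backendRefs`. Unless `athens-proxy.fullname` (not shown in this diff) appends its own suffix, both asserts need to become `name: athens-proxy-unittest`, otherwise the new `helm/unittest` target fails. The rename is also user-visible: the in-cluster DNS name of the Service changes on upgrade, so anything that still addresses `<release>-http` — including the name users have pinned in `proxy-ssl-name` or `validation.hostname` for backend TLS verification — stops matching; this deserves a changelog entry and a chart version bump.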
@@ -0,0 +1,25 @@
+{{- if eq (include "athens-proxy.backendTLSPolicy.enabled" $) "true" }}
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: BackendTLSPolicy
+metadata:
+ {{- with (include "athens-proxy.backendTLSPolicy.annotations" . | fromYaml) }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with (include "athens-proxy.backendTLSPolicy.labels" . | fromYaml) }}
+ labels:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ name: {{ include "athens-proxy.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+spec:
+ targetRefs:
+ - group: ""
+ kind: Service
+ name: {{ include "athens-proxy.services.http.name" . }}
+ {{- with .Values.gatewayAPI.core.backendTLSPolicy.validation }}
+ validation:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end -}}
diff --git a/templates/clientSettingsPolicy.yaml b/templates/clientSettingsPolicy.yaml
new file mode 100644
index 0000000..ab6ecf7
--- /dev/null
+++ b/templates/clientSettingsPolicy.yaml
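Review bot: With the chart default `validation: {}` the `with` guard emits nothing, so enabling the policy renders a BackendTLSPolicy with no `validation` at all — and that field (`hostname` plus `caCertificateRefs` or `wellKnownCACertificates`) is what tells the gateway which trust anchors and which name to verify the backend certificate against. As far as I recall the Gateway API CRD schema marks `validation` and `validation.hostname` as required, so the object would be rejected at apply time rather than silently skipping verification, but either way `helm template` should not succeed with an unusable policy. A guard placed before `spec:` such as `{{- $_ := required "gatewayAPI.core.backendTLSPolicy.validation must set hostname and a CA reference" .Values.gatewayAPI.core.backendTLSPolicy.validation.hostname }}` makes the requirement explicit, and the `Render default values` unit test would then expect a render failure instead of only asserting that `caCertificateRefs` is absent.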
@@ -0,0 +1,50 @@
+{{- if eq (include "athens-proxy.clientSettingsPolicy.enabled" $) "true" }}
+apiVersion: gateway.nginx.org/v1alpha1
+kind: ClientSettingsPolicy
+metadata:
+ {{- with (include "athens-proxy.clientSettingsPolicy.annotations" . | fromYaml) }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with (include "athens-proxy.clientSettingsPolicy.labels" . | fromYaml) }}
+ labels:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ name: {{ include "athens-proxy.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+spec:
+ targetRef:
+ group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ name: {{ include "athens-proxy.fullname" . }}
+ {{- if or .Values.gatewayAPI.nginx.clientSettingsPolicy.clientMaxBodySize
+ .Values.gatewayAPI.nginx.clientSettingsPolicy.clientBodyTimeout
+ }}
+ body:
+ {{- with .Values.gatewayAPI.nginx.clientSettingsPolicy.clientMaxBodySize }}
+ maxSize: {{ . }}
+ {{- end }}
+ {{- with .Values.gatewayAPI.nginx.clientSettingsPolicy.clientBodyTimeout }}
+ timeout: {{ . }}
+ {{- end }}
+ {{- end }}
+ {{- if or .Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveRequests
+ .Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveTime
+ .Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveTimeout
+ .Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveMinTimeout
+ }}
+ keepAlive:
+ {{- with .Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveRequests }}
+ requests: {{ . }}
+ {{- end }}
+ {{- with .Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveTime }}
+ time: {{ . }}
+ {{- end }}
+ {{- with .Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveTimeout }}
+ timeout: {{ . }}
+ {{- end }}
+ {{- with .Values.gatewayAPI.nginx.clientSettingsPolicy.keepaliveMinTimeout }}
+ minTimeout: {{ . }}
+ {{- end }}
+ {{- end }}
+{{- end -}}
diff --git a/templates/httpRoute.yaml b/templates/httpRoute.yaml
new file mode 100644
index 0000000..892c538
--- /dev/null
+++ b/templates/httpRoute.yaml
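Review bot: The size and duration fields are interpolated unquoted — `maxSize: {{ . }}`, `timeout: {{ . }}`, `time: {{ . }}`, `minTimeout: {{ . }}` — although the values they carry (`10m`, `30s`) are strings; a value supplied as a bare number through `--set` would render as an integer and is likely rejected by the CRD schema, so `{{ . | quote }}` on those four lines is safer (`requests:` stays unquoted because it is numeric). The `or`/`with` guards also treat `0` as unset, so `keepaliveRequests: 0` can never be rendered; if zero is a meaningful setting for the controller, test with `ne ... nil` instead of truthiness. This template additionally omits the leading `---` that `backendTLSPolicy.yaml` and `httpRoute.yaml` in the same commit emit; keep the three consistent.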
@@ -0,0 +1,36 @@
+{{- if eq (include "athens-proxy.httpRoute.enabled" $) "true" }}
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ {{- with (include "athens-proxy.httpRoute.annotations" . | fromYaml) }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with (include "athens-proxy.httpRoute.labels" . | fromYaml) }}
+ labels:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ name: {{ include "athens-proxy.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+spec:
+ {{- with .Values.gatewayAPI.core.httpRoute.hostnames }}
+ hostnames:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.gatewayAPI.core.httpRoute.parentRefs }}
+ parentRefs:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ rules:
+ - backendRefs:
+ - kind: Service
+ name: {{ include "athens-proxy.services.http.name" . }}
+ namespace: {{ .Release.Namespace }}
+ port: {{ .Values.services.http.port }}
+ weight: 1
+ {{- with .Values.gatewayAPI.core.httpRoute.matches }}
+ matches:
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
+{{- end }}
diff --git a/unittests/backendTLSPolicy/backendTLSPolicy.yaml b/unittests/backendTLSPolicy/backendTLSPolicy.yaml
new file mode 100644
index 0000000..df2369d
--- /dev/null
+++ b/unittests/backendTLSPolicy/backendTLSPolicy.yaml
@@ -0,0 +1,130 @@ +chart: + appVersion: 0.1.0 + version: 0.1.0 +suite: backendTLSPolicy template +release: + name: athens-proxy-unittest + namespace: testing +templates: +- templates/backendTLSPolicy.yaml +tests: +- it: Skip rendering when disabled 1/6 + set: + gatewayAPI.enabled: false + gatewayAPI.core.backendTLSPolicy.enabled: false + services.http.enabled: false + asserts: + - hasDocuments: + count: 0 + +- it: Skip rendering when disabled 2/6 + set: + gatewayAPI.enabled: true + gatewayAPI.core.backendTLSPolicy.enabled: false + services.http.enabled: false + asserts: + - hasDocuments: + count: 0 + +- it: Skip rendering when disabled 3/6 + set: + gatewayAPI.enabled: false + gatewayAPI.core.backendTLSPolicy.enabled: true + services.http.enabled: false + asserts: + - hasDocuments: + count: 0 + +- it: Skip rendering when disabled 4/6 + set: + gatewayAPI.enabled: false + gatewayAPI.core.backendTLSPolicy.enabled: false + services.http.enabled: true + asserts: + - hasDocuments: + count: 0 + +- it: Skip rendering when disabled 5/6 + set: + gatewayAPI.enabled: true + gatewayAPI.core.backendTLSPolicy.enabled: false + services.http.enabled: true + asserts: + - hasDocuments: + count: 0 + +- it: Skip rendering when disabled 6/6 + set: + gatewayAPI.enabled: true + gatewayAPI.core.backendTLSPolicy.enabled: true + services.http.enabled: false + asserts: + - hasDocuments: + count: 0 + +- it: Render default values + set: + gatewayAPI.enabled: true + gatewayAPI.core.backendTLSPolicy.enabled: true + services.http.enabled: true + asserts: + - hasDocuments: + count: 1 + - containsDocument: + apiVersion: gateway.networking.k8s.io/v1 + kind: BackendTLSPolicy + name: athens-proxy-unittest + namespace: testing + - contains: + path: spec.targetRefs + content: + group: "" + kind: Service + name: athens-proxy-unittest-http + - notExists: + path: spec.validation.caCertificateRefs + +- it: Render with custom annotations and labels + set: + gatewayAPI.enabled: true + 
gatewayAPI.core.backendTLSPolicy: + enabled: true + annotations: + foo: bar + labels: + bar: foo + services.http.enabled: true + asserts: + - equal: + path: metadata.annotations + value: + foo: bar + - equal: + path: metadata.labels + value: + app.kubernetes.io/instance: athens-proxy-unittest + app.kubernetes.io/name: athens-proxy + app.kubernetes.io/version: 0.1.0 + app.kubernetes.io/managed-by: Helm + helm.sh/chart: athens-proxy-0.1.0 + bar: foo + +- it: Render with custom validation + set: + gatewayAPI.enabled: true + gatewayAPI.core.backendTLSPolicy.enabled: true + gatewayAPI.core.backendTLSPolicy.validation: + caCertificateRefs: + - group: "" + kind: Secret + name: athens-proxy-ca + hostname: athens-proxy.svc.cluster.local + services.http.enabled: true + asserts: + - isSubset: + path: spec.validation + content: + caCertificateRefs: + - group: "" + kind: Secret + name: athens-proxy-ca diff --git a/unittests/clientSettingsPolicy/clientSettingsPolicy.yaml b/unittests/clientSettingsPolicy/clientSettingsPolicy.yaml new file mode 100644 index 0000000..6d034b9 --- /dev/null +++ b/unittests/clientSettingsPolicy/clientSettingsPolicy.yaml 
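Review bot: `Render with custom validation` sets `hostname: athens-proxy.svc.cluster.local` but its `isSubset` assertion only checks `caCertificateRefs`, so a template regression that drops or reshapes `hostname` would pass unnoticed even though hostname is the name the gateway verifies the backend certificate against. Add `hostname: athens-proxy.svc.cluster.local` to the `content:` of that assertion, or assert the whole `spec.validation` with `equal` so the rendered policy is pinned exactly.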
@@ -0,0 +1,190 @@ +chart: + appVersion: 0.1.0 + version: 0.1.0 +suite: ClientSettingsPolicy template +release: + name: athens-proxy-unittest + namespace: testing +templates: +- templates/clientSettingsPolicy.yaml +tests: +- it: Skip rendering when disabled 1/8 + set: + gatewayAPI.enabled: false + gatewayAPI.core.httpRoute.enabled: false + gatewayAPI.nginx.clientSettingsPolicy.enabled: false + services.http.enabled: false + asserts: + - hasDocuments: + count: 0 + +- it: Skip rendering when disabled 2/8 + set: + gatewayAPI.enabled: true + gatewayAPI.core.httpRoute.enabled: false + gatewayAPI.nginx.clientSettingsPolicy.enabled: false + services.http.enabled: false + asserts: + - hasDocuments: + count: 0 + +- it: Skip rendering when disabled 3/8 + set: + gatewayAPI.enabled: false + gatewayAPI.core.httpRoute.enabled: true + gatewayAPI.nginx.clientSettingsPolicy.enabled: false + services.http.enabled: false + asserts: + - hasDocuments: + count: 0 + +- it: Skip rendering when disabled 4/8 + set: + gatewayAPI.enabled: false + gatewayAPI.core.httpRoute.enabled: false + gatewayAPI.nginx.clientSettingsPolicy.enabled: true + services.http.enabled: false + asserts: + - hasDocuments: + count: 0 + +- it: Skip rendering when disabled 5/8 + set: + gatewayAPI.enabled: false + gatewayAPI.core.httpRoute.enabled: false + gatewayAPI.nginx.clientSettingsPolicy.enabled: false + services.http.enabled: true + asserts: + - hasDocuments: + count: 0 + +- it: Skip rendering when disabled 6/8 + set: + gatewayAPI.enabled: true + gatewayAPI.core.httpRoute.enabled: true + gatewayAPI.nginx.clientSettingsPolicy.enabled: false + services.http.enabled: false + asserts: + - hasDocuments: + count: 0 + +- it: Skip rendering when disabled 7/8 + set: + gatewayAPI.enabled: true + gatewayAPI.core.httpRoute.enabled: false + gatewayAPI.nginx.clientSettingsPolicy.enabled: true + services.http.enabled: false + asserts: + - hasDocuments: + count: 0 + +- it: Skip rendering when disabled 8/8 + set: + 
gatewayAPI.enabled: true + gatewayAPI.core.httpRoute.enabled: false + gatewayAPI.nginx.clientSettingsPolicy.enabled: false + services.http.enabled: true + asserts: + - hasDocuments: + count: 0 + +- it: Render default values + set: + gatewayAPI.enabled: true + gatewayAPI.core.httpRoute.enabled: true + gatewayAPI.nginx.clientSettingsPolicy.enabled: true + services.http.enabled: true + asserts: + - hasDocuments: + count: 1 + - containsDocument: + apiVersion: gateway.nginx.org/v1alpha1 + kind: ClientSettingsPolicy + name: athens-proxy-unittest + namespace: testing + - notExists: + path: metadata.annotations + - equal: + path: metadata.labels + value: + app.kubernetes.io/instance: athens-proxy-unittest + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: athens-proxy + app.kubernetes.io/version: 0.1.0 + helm.sh/chart: athens-proxy-0.1.0 + - isSubset: + path: spec.targetRef + content: + group: gateway.networking.k8s.io + kind: HTTPRoute + name: athens-proxy-unittest + - notExists: + path: spec.body + - notExists: + path: spec.keepAlive + +- it: Render custom annotations and labels + set: + gatewayAPI.enabled: true + gatewayAPI.core.httpRoute.enabled: true + gatewayAPI.nginx.clientSettingsPolicy: + enabled: true + annotations: + foo: "bar" + labels: + bar: "foo" + services.http.enabled: true + asserts: + - equal: + path: metadata.annotations + value: + foo: "bar" + - equal: + path: metadata.labels + value: + app.kubernetes.io/instance: athens-proxy-unittest + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: athens-proxy + app.kubernetes.io/version: 0.1.0 + helm.sh/chart: athens-proxy-0.1.0 + bar: "foo" + +- it: Render with custom body settings + set: + gatewayAPI.enabled: true + gatewayAPI.core.httpRoute.enabled: true + gatewayAPI.nginx.clientSettingsPolicy: + enabled: true + clientMaxBodySize: 10m + clientBodyTimeout: 30s + services.http.enabled: true + asserts: + - isSubset: + path: spec.body + content: + maxSize: 10m + timeout: 30s + - notExists: 
+ path: spec.keepAlive + +- it: Render with custom keepAlive settings + set: + gatewayAPI.enabled: true + gatewayAPI.core.httpRoute.enabled: true + gatewayAPI.nginx.clientSettingsPolicy: + enabled: true + keepaliveRequests: 100 + keepaliveTime: 60s + keepaliveTimeout: 60s + keepaliveMinTimeout: 10s + services.http.enabled: true + asserts: + - notExists: + path: spec.body + - isSubset: + path: spec.keepAlive + content: + requests: 100 + time: 60s + timeout: 60s + minTimeout: 10s diff --git a/unittests/httpRoute/httpRoute.yaml b/unittests/httpRoute/httpRoute.yaml new file mode 100644 index 0000000..b228e72 --- /dev/null +++ b/unittests/httpRoute/httpRoute.yaml 
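Review bot: The eight `Skip rendering when disabled` cases never cover `gatewayAPI.enabled`, `gatewayAPI.core.httpRoute.enabled` and `gatewayAPI.nginx.clientSettingsPolicy.enabled` all `true` with `services.http.enabled: false`, which is exactly the path where the policy is gated only through the httpRoute helper's check of the http service rather than by its own flags. Add that case with `hasDocuments: count: 0` so a later change to `athens-proxy.httpRoute.enabled` cannot silently render a ClientSettingsPolicy targeting an HTTPRoute that does not exist; the `n/8` numbering then becomes `n/9`.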
@@ -0,0 +1,194 @@ +chart: + appVersion: 0.1.0 + version: 0.1.0 +suite: HTTPRoute template +release: + name: athens-proxy-unittest + namespace: testing +templates: +- templates/httpRoute.yaml +tests: +- it: Skip rendering when disabled 1/6 + set: + gatewayAPI.enabled: false + gatewayAPI.core.httpRoute.enabled: false + services.http.enabled: false + asserts: + - hasDocuments: + count: 0 + +- it: Skip rendering when disabled 2/6 + set: + gatewayAPI.enabled: true + gatewayAPI.core.httpRoute.enabled: false + services.http.enabled: false + asserts: + - hasDocuments: + count: 0 + +- it: Skip rendering when disabled 3/6 + set: + gatewayAPI.enabled: false + gatewayAPI.core.httpRoute.enabled: true + services.http.enabled: false + asserts: + - hasDocuments: + count: 0 + +- it: Skip rendering when disabled 4/6 + set: + gatewayAPI.enabled: false + gatewayAPI.core.httpRoute.enabled: false + services.http.enabled: true + asserts: + - hasDocuments: + count: 0 + +- it: Skip rendering when disabled 5/6 + set: + gatewayAPI.enabled: true + gatewayAPI.core.httpRoute.enabled: false + services.http.enabled: true + asserts: + - hasDocuments: + count: 0 + +- it: Skip rendering when disabled 6/6 + set: + gatewayAPI.enabled: true + gatewayAPI.core.httpRoute.enabled: true + services.http.enabled: false + asserts: + - hasDocuments: + count: 0 + +- it: Rendering default values + set: + gatewayAPI.enabled: true + gatewayAPI.core.httpRoute.enabled: true + services.http.enabled: true + asserts: + - hasDocuments: + count: 1 + - containsDocument: + apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + name: athens-proxy-unittest + namespace: testing + - notExists: + path: metadata.annotations + - equal: + path: metadata.labels + value: + app.kubernetes.io/instance: athens-proxy-unittest + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: athens-proxy + app.kubernetes.io/version: 0.1.0 + helm.sh/chart: athens-proxy-0.1.0 + - notExists: + path: spec.hostnames + - notExists: + path: 
spec.parentRefs + - contains: + path: spec.rules[0].backendRefs + content: + kind: Service + name: athens-proxy-unittest-http + namespace: testing + port: 3000 + weight: 1 + - contains: + path: spec.rules[0].matches + content: + path: + type: PathPrefix + value: / + +- it: Rendering custom annotations and labels + set: + gatewayAPI.enabled: true + gatewayAPI.core.httpRoute: + enabled: true + annotations: + foo: bar + labels: + bar: foo + services.http.enabled: true + asserts: + - hasDocuments: + count: 1 + - equal: + path: metadata.annotations + value: + foo: bar + - equal: + path: metadata.labels + value: + app.kubernetes.io/instance: athens-proxy-unittest + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: athens-proxy + app.kubernetes.io/version: 0.1.0 + bar: foo + helm.sh/chart: athens-proxy-0.1.0 + +- it: Rendering custom service port + set: + gatewayAPI.enabled: true + gatewayAPI.core.httpRoute.enabled: true + services.http: + enabled: true + port: 9090 + asserts: + - equal: + path: spec.rules[0].backendRefs[0].port + value: 9090 + +- it: Rendering custom matches + set: + gatewayAPI.enabled: true + gatewayAPI.core.httpRoute: + enabled: true + matches: + - path: + type: PathPrefix + value: /foo + services.http.enabled: true + asserts: + - contains: + path: spec.rules[0].matches + content: + path: + type: PathPrefix + value: /foo + +- it: Rendering custom hostnames and parentRefs + set: + gatewayAPI.enabled: true + gatewayAPI.core.httpRoute: + enabled: true + hostnames: + - athens-proxy.example.local + parentRefs: + - name: gateway + namespace: testing + kind: Gateway + sectionName: athens-proxy-debug-gateway + services.http.enabled: true + asserts: + - lengthEqual: + path: spec.hostnames + count: 1 + - contains: + path: spec.hostnames + content: + athens-proxy.example.local + - lengthEqual: + path: spec.parentRefs + count: 1 + - contains: + path: spec.parentRefs + content: + name: gateway + namespace: testing + kind: Gateway + sectionName: 
athens-proxy-debug-gateway diff --git a/values.yaml b/values.yaml index 77a1af6..5b7ab1a 100644 --- a/values.yaml +++ b/values.yaml @@ -1,4 +1,5 @@ # Declare variables to be passed into your templates. + ## @section Global ## @param nameOverride Individual release name suffix. ## @param fullnameOverride Override the complete release name logic. 
@@ -520,6 +521,72 @@ deployment:
 # secret:
 # secretName: my-secret
 
+
+## @section GatewayAPI
+gatewayAPI:
+ ## @param gatewayAPI.enabled Enable the Gateway API resources. Requires Kubernetes v1.19 or higher, the CRD's and a compatible gateway controller.
+ enabled: false
+
+ core:
+ ## @param gatewayAPI.core.backendTLSPolicy.enabled Enable the BackendTLSPolicy resource. Requires also `gatewayAPI.enabled` to be `true`.
+ ## @param gatewayAPI.core.backendTLSPolicy.annotations Additional annotations for the BackendTLSPolicy.
+ ## @param gatewayAPI.core.backendTLSPolicy.labels Additional labels for the BackendTLSPolicy.
+ ## @param gatewayAPI.core.backendTLSPolicy.validation Validation configuration for the BackendTLSPolicy. For example, you can specify a trusted CA certificate to validate the TLS connection between the gateway and the athens-proxy pod.
+ backendTLSPolicy:
+ enabled: false
+ annotations: {}
+ labels: {}
+ validation: {}
+ # caCertificateRefs:
+ # - group: ""
+ # kind: Secret
+ # name: "athens-proxy-ca"
+ # hostname: "athens-proxy"
+
+ ## @param gatewayAPI.core.httpRoute.enabled Enable the HTTPRoute resource. Requires also `gatewayAPI.enabled` and `services.http.enabled` to be `true`.
+ ## @param gatewayAPI.core.httpRoute.annotations Additional annotations for the HTTPRoute.
+ ## @param gatewayAPI.core.httpRoute.labels Additional labels for the HTTPRoute.
+ ## @param gatewayAPI.core.httpRoute.hostnames Hostnames for the HTTPRoute.
+ ## @skip gatewayAPI.core.httpRoute.matches Match conditions for the HTTPRoute. You can specify path based match conditions to route traffic to the athens-proxy service.
+ ## @param gatewayAPI.core.httpRoute.parentRefs ParentRefs for the HTTPRoute. You can specify parentRefs to bind the HTTPRoute to specific Gateway resources.
+ httpRoute: + enabled: false + annotations: {} + labels: {} + hostnames: [] + matches: + - path: + type: PathPrefix + value: / + parentRefs: [] + # - name: gateway + # kind: Gateway + # group: gateway.networking.k8s.io + # namespace: default + # sectionName: athens-proxy-http + + nginx: + ## @param gatewayAPI.nginx.clientSettingsPolicy.enabled Enable the ClientSettingsPolicy resource. Requires also `gatewayAPI.enabled` to be `true`. + ## @param gatewayAPI.nginx.clientSettingsPolicy.annotations Additional annotations for the ClientSettingsPolicy. + ## @param gatewayAPI.nginx.clientSettingsPolicy.labels Additional labels for the ClientSettingsPolicy. + ## @param gatewayAPI.nginx.clientSettingsPolicy.clientMaxBodySize ClientMaxBodySize sets the maximum allowed size of the client request body. If not specified, the default of the nginx gateway controller is used. + ## @param gatewayAPI.nginx.clientSettingsPolicy.clientBodyTimeout ClientBodyTimeout sets the timeout for reading the client request body. If not specified, the default of the nginx gateway controller is used. + ## @param gatewayAPI.nginx.clientSettingsPolicy.keepaliveRequests KeepaliveRequests sets the maximum number of requests that can be served through one keepalive connection. If not specified, the default of the nginx gateway controller is used. + ## @param gatewayAPI.nginx.clientSettingsPolicy.keepaliveTime KeepaliveTime sets the time a keepalive connection is kept open. If not specified, the default of the nginx gateway controller is used. + ## @param gatewayAPI.nginx.clientSettingsPolicy.keepaliveTimeout KeepaliveTimeout sets the time a client has to wait for the response of a request until the connection is closed. If not specified, the default of the nginx gateway controller is used. + ## @param gatewayAPI.nginx.clientSettingsPolicy.keepaliveMinTimeout KeepaliveMinTimeout sets the minimum time a client has to wait for the response of a request until the connection is closed. 
If not specified, the default of the nginx gateway controller is used. + clientSettingsPolicy: + enabled: false + annotations: {} + labels: {} + clientMaxBodySize: "" + clientBodyTimeout: "" + keepaliveRequests: + keepaliveTime: "" + keepaliveTimeout: "" + keepaliveMinTimeout: "" + + ## @section Horizontal Pod Autoscaler (HPA) # In order for the HPA to function successfully, a metric server is required, especially for resource consumption. The # metric server enables the CPU and memory utilisation to be recorded. If such a metric server is not available, the HPA @@ -551,6 +618,7 @@ hpa: minReplicas: 1 maxReplicas: 10 + ## @section Ingress ingress: ## @param ingress.enabled Enable creation of an ingress resource. Requires, that the http service is also enabled. @@ -562,7 +630,7 @@ ingress: annotations: {} labels: {} - ## @param ingress.hosts Ingress specific configuration. Specification only required when another ingress controller is used instead of `t1k. + ## @param ingress.hosts Ingress specific configuration. ## @skip ingress.hosts Skip individual host configuration. hosts: [] # - host: athens-proxy.example.local @@ -570,7 +638,7 @@ ingress: # - path: / # pathType: Prefix - ## @param ingress.tls Ingress TLS settings. Specification only required when another ingress controller is used instead of `t1k``. + ## @param ingress.tls Ingress TLS settings. ## @skip ingress.tls Skip individual TLS configuration. tls: [] # - secretName: athens-proxy-http-tls
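Review bot: The `@param gatewayAPI.core.backendTLSPolicy.enabled` description says the resource requires only `gatewayAPI.enabled`, but the helper `athens-proxy.backendTLSPolicy.enabled` added in `templates/_backendTLSPolicy.tpl` also requires `services.http.enabled`; likewise `gatewayAPI.nginx.clientSettingsPolicy.enabled` is documented as needing only `gatewayAPI.enabled` while its helper requires the HTTPRoute (and thus the http service) to be enabled. Update the two descriptions to `Requires also gatewayAPI.enabled and services.http.enabled to be true.` and `Requires also gatewayAPI.enabled, gatewayAPI.core.httpRoute.enabled and services.http.enabled to be true.` (with the usual backticks) and regenerate the README table, which currently repeats the incomplete wording. `keepaliveRequests:` is also left as a bare empty value, which parses as null and is what the README renders as `nil`; writing `keepaliveRequests: null` makes the intent explicit and satisfies yamllint's empty-values check.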